Move the <msubsup> formatting code in stretchToHeight() to layout(). Then revise the
combined code to produce more vertically accurate results, and without extra white
space. Finally, don't multiply msub/msup/msubsup operator stretching by 1.2.

Test: Added the bug report's attached test case to mathml/presentation/subsup.xhtml, and
it and 5 other test files in mathml/presentation now produce improved results. The
integral sign in mo-stretch.html is no longer scaled up by an extra 1.2, and baselines
are more accurate so the base is higher in msubsup-sub-changed.png. Several examples are
slightly tighter vertically, because their (somewhat) anonymous blocks wrapping
subscripts and superscripts now have the correct font size.

Originally EventFactory.in was just used to generate EventFactory.cpp,
but now we're able to generate a bunch of other Event-related code from
this "in" file.

In writing some documentation about how to use these mechanisms, the
name EventFactory.in didn't seem like the right name. This patch
renames EventFactory.in to EventNames.in, which more accurately
describes the role of this file (and matches the naming convention of
HTMLTagNames.in).

This patch is simply an automated sort of the property constructors.
Presently they are all over the place and it is difficult to know where to insert new rules.
This patch provides a clear pattern and should reduce future conflicts when adding properties.

I amended canvas-composite-canvas to cover this bug, and I also amended
canvas-composite-image because I changed
LayoutTests/fast/canvas/resources/canvas-composite-image-common.js.
However, the change of canvas-composite-image is reasonable because
drawImage(HTMLImageElement) will be able to have a similar bug.

This patch changes calculateClipRects() so that the clipRect
offset is allowed to be converted across layers with
transforms. This is necessary because the RenderLayerCompositor
needs clipRects in document space, rather than with respect to
some local clipping layer.

When initialising a chained get instruction we may end up in a state where
the instruction stream says we have a scopechain, but it has not yet been set
(eg. if allocating the StructureChain itself is what leads to the GC). We could
re-order the allocation, but it occurs in a couple of places, so it seems less
fragile simply to null check the scopechain slot before we actually visit the slot.

Remove WebPage::mainFrame() as it is bad to expose WebCore::Frame in
the public API, adapt to the change by adding a new method
WebPagePrivate::core(Const WebPage*) and expose it to
DumpRenderTreeSupport.

Empty inlines with line-height, vertical-alignment or font metrics should only get a linebox if there is some
other content in the line. So only create line boxes for such elements on lines that are not empty.

This patch fixes a regression where an empty inline with line-height was propagating its height to an empty line.
It also fixes cases where lines with content that had a leading empty inline element weren't respecting the
vertical alignment or font-height of the empty inline.

rendering/RenderBlockLineLayout.cpp:

(WebCore::RenderBlock::constructLine): only create line boxes for lines that are not empty.
(WebCore::requiresLineBoxForContent): an inline flow with line-height, vertical-alignment, or font-size

(WebCore::RenderTableSection::fullTableRowSpan):
(WebCore::RenderTableSection::fullTableColumnSpan):
Those functions return the span corresponding to the full table.

rendering/RenderTableSection.cpp:

(WebCore::RenderTableSection::dirtiedRows):
(WebCore::RenderTableSection::dirtiedColumns):
Those functions compute the rows / columns impacted by a |damageRect|. On the slow painting path, they
return the full table span.

(WebCore::RenderTableSection::paintObject):
Updated this function to call the new ones. Also we now inflate the local rectangle with the outlineSize.
This wasn't done previously and we had to manually patch some size comparison to account for the outline.

Due to r108322, resolve-supplemental.pl not only resolves supplemental
dependencies but also runs IDL attribute checker. For clarification,
this patch renames resolve-supplemental.pl to preprocess-idls.pl.

This patch adds [ConstructorParameters=X] to IDL files that have
custom constructors, where X is the maximum number of arguments
of the constructor. [ConstructorParameters=X] is needed for custom
constructors, because custom constructors do not have a signature
in IDL files and thus CodeGeneratorJS.pm cannot know the number of
constructor arguments.

This patch removes [ConstructorParameters] from IDL files that have [Constructor],
since CodeGeneratorJS.pm can automatically detect the number of constructor
arguments by the [Constructor(...)] signature.

insertedIntoTree/removedFromTree are only used by subclasses of
ContainerNode. Moreover, attempting to make use of these notifications
in a non-container Node would currently not work, because
Node::removedFromDocument/insertedIntoDocument do not dispatch to these methods.
Rather than adding useless calls to an always-empty virtual method,
this patch moves these methods to ContainerNode.

Meanwhile, childrenChanged moves to ContainerNode for an obvious reason:
non-container Nodes have no children to change.

(WebCore::ContainerNode::removeChild): Check that the removed child is a container node before notifying it of removal.
(WebCore::ContainerNode::parserRemoveChild): ditto.
(WebCore::ContainerNode::insertedIntoTree): Remove call to now-nonexistent Node::insertedIntoTree.
(WebCore::ContainerNode::removedFromTree): Remove call to now-nonexistent Node::removedFromTree.
(WebCore::ContainerNode::childrenChanged): Remove call to now-nonexistent Node::childrenChanged.
(WebCore::notifyChildInserted): Check that the inserted child is a container node before notifying it of insertion.

dom/ContainerNode.h:

(ContainerNode): Migrate comments from Node.h, point back at it for more notification methods.

Alas we can't provide the stack trace as an array, as despite everyone wanting
an array, everyone arbitrarily creates the array by calling split on the stack
trace. To create the array we would have provided them in the first place.

This changes the exception's stack property to a \n separated string. To get the
old array just do <exception>.stack.split("\n").

runtime/Error.cpp:

(JSC::addErrorInfo):

LayoutTests:

Update test case to handle Error.stack being a string rather than an array.

Add ImageBuffer support for having a hi-res backing store. This allows
ImageBuffer clients to specify a scale factor upon creation so that they
don't have to maintain that info themselves as they use/pass around the ImageBuffer.​https://bugs.webkit.org/show_bug.cgi?id=79395

Ensure that when selection handles leave the content bounding box that
the handle not being dragged remains fixed. Do not apply padding to a
direction that would cause the selection to shrink when performing the
handle direction detection.

The bug was caused by ReplacementFragment::m_hasInterchangeNewlineAtEnd not reset even when
text field's beforeTextInserted event handler removed interchange new lines at the end.
Because the event handler is responsible for trimming new lines, we need to recompute the values
for m_hasInterchangeNewlineAt* after the event dispatch.

The bug was caused by ReplacementFragment::m_hasInterchangeNewlineAtEnd not reset even when
text field's beforeTextInserted event handler removed interchange new lines at the end.
Because the event handler is responsible for trimming new lines, we need to recompute the values
for m_hasInterchangeNewlineAt* after the event dispatch.

Test: editing/input/paste-text-ending-with-interchange-newline.html

editing/ReplaceSelectionCommand.cpp:

(WebCore::ReplacementFragment::ReplacementFragment):

LayoutTests:

Add a regression test. Also make Markup.dump() dump the shadow DOM of the specififed node.

This is a regression. r104183 changes containingBlock() so that it returns the container
of an anonymous block for positioned objects, not the anonymous block itself. We should
change markContainingBlocksForLayout() to match the change in containingBlock().

rendering/RenderObject.cpp:

(WebCore::RenderObject::markContainingBlocksForLayout):

LayoutTests:

Test case originally by Robin Cao. This exercises the crashing
condition in bug 78713.

lastIndex should be a regular data descriptor, with the attributes configurable:false,
enumerable:false, writable:true. As such, it should be possible to reconfigure writable
as false. If the lastIndex property is reconfigured to be read-only, we should respect
this correctly.

This was caused by not mapping the mouse event coordinates from window coordinates to
document coordinates.

WebProcess/WebPage/mac/WebPageMac.mm:

(WebKit::WebPage::performDictionaryLookupAtLocation): Convert the point to main frame
coordinates when performing the hit test.
(WebKit::WebPage::shouldDelayWindowOrderingEvent): Convert the point to the main or focused
frame coordinates when perfomring the hit test.
(WebKit::WebPage::acceptsFirstMouse): Ditto.

evas_object_image_data_set decreases the reference count and when the ref count become zero,
the function releases the cached image inside evas engine.
We should make a pair between evas_object_image_data_set/get to return evas resource.

This problem was caused by the inconsistent detach order of DOM tree where
Element::detach() called ContainerNode::detach() before shadow tree is detached.
This resulted the renderer of the element being destroyed even if its children,
each of which came from an element in the shadow tree, are alive.
In principle, child renderers should be destroyed before its parent.

This change aligns the detach order with the attach order. The shadow tree is
now deatched before parent's ContainerNode::detach() is called.

Introduced BaseClickableWithKeyInputType that represents an input type
that can be clicked by pressing space/return keys.
ColorInputType, FileInputType directly inherit it because it doesn't
want the other methods(like appendFormData) in BaseButtonInputType.

(WebCore):
(WebCore::BaseClickableWithKeyInputType::handleKeydownEvent): Moved from BaseButtonInputType
(WebCore::BaseClickableWithKeyInputType::handleKeypressEvent): Moved from BaseButtonInputType
(WebCore::BaseClickableWithKeyInputType::handleKeyupEvent): Moved from BaseButtonInputType
(WebCore::BaseClickableWithKeyInputType::accessKeyAction): Moved from BaseButtonInputType

html/BaseClickableWithKeyInputType.h:

(WebCore):
(BaseClickableWithKeyInputType): Input type that can be clicked by pressing space/return keys.
(WebCore::BaseClickableWithKeyInputType::BaseClickableWithKeyInputType):

(WebKit::RemoteLayerClient::create):
(WebKit::RemoteLayerClient::RemoteLayerClient):
(WebKit::RemoteLayerClient::~RemoteLayerClient):
(WebKit::RemoteLayerClient::clientID):
(WebKit::RemoteLayerClient::invalidate):
New class that encapsulates calls to WKSI WKCARemoteLayerClient*. For platforms
where the use of WKSI is not necessary, due to CARemoteLayerClient being available,
stop using WKSI.

Introduced the RefCountedArray class, which contains a single inline pointer
to a ref-counted non-resizeable vector backing store. This satisfies the
requirements of CodeBlock, which desires the ability to share instruction
streams with other CodeBlocks. It also reduces the number of loads required
for getting the instruction stream by one.

This patch also gets rid of the bytecode discarding logic, since we don't
use it anymore and it's unlikely to ever work right with DFG or LLInt. And
I didn't feel like porting dead code to use RefCountedArray.

This patch halves the execution time of Bindings/dom-attributes.html
in order to avoid timeout in Chromium. The reason for the timeout is that
V8 DOM bindings are too much slower than JSC bindings.
I am a bit afraid that this patch will reduce the accuracy of the
perf test results, but it would make sense to reduce the execution time
until we fix the performance issue in V8 DOM bindings.

This hooks up ScrollingCoordinator::setNonFastScrollableRegion() and
ScrollingCoordinator::setShouldUpdateScrollLayerPositionOnMainThread() to the chromium compositor
implementation and implements them on the impl thread.

New compositor behavior is covered by unit tests in LayerChromiumTests and CCLayerTreeHostImplTests. The rest is
just glue code.

heap/CopiedAllocator.h:
(CopiedAllocator): Friended the JIT to allow access to m_currentOffset.

heap/CopiedSpace.h:

(CopiedSpace): Friended the JIT to allow access to isOversize.
(JSC::CopiedSpace::allocator):

heap/Heap.h:

(JSC::Heap::storageAllocator): Added a getter for the CopiedAllocator class so the JIT
can use it for simple allocation i.e. when we can just bump the offset without having to
do anything else.

jit/JIT.cpp:

(JSC::JIT::privateCompileSlowCases): Added new slow case for op_new_array for when
we have to bail out because the fast allocation path fails for whatever reason.

jit/JIT.h:

(JIT):

jit/JITInlineMethods.h:

(JSC::JIT::emitAllocateBasicStorage): Added utility function that allows objects to
allocate generic backing stores. This function is used by emitAllocateJSArray.
(JSC):
(JSC::JIT::emitAllocateJSArray): Added utility function that allows the client to
more easily allocate JSArrays. This function is used by emit_op_new_array and I expect
it will also be used for emit_op_new_array_buffer.

jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_new_array): Changed to do inline allocation of JSArrays. Still does
a stub call for oversize arrays.
(JSC):
(JSC::JIT::emitSlow_op_new_array): New slow path that just bails out to a stub call if we
fail in any way on the fast path.

runtime/JSArray.cpp:

(JSC):

runtime/JSArray.h: Added lots of offset functions for all the fields that we need to

initialize in the JIT.
(ArrayStorage):
(JSC::ArrayStorage::lengthOffset):
(JSC::ArrayStorage::numValuesInVectorOffset):
(JSC::ArrayStorage::allocBaseOffset):
(JSC::ArrayStorage::vectorOffset):
(JSArray):
(JSC::JSArray::sparseValueMapOffset):
(JSC::JSArray::subclassDataOffset):
(JSC::JSArray::indexBiasOffset):
(JSC):
(JSC::JSArray::storageSize): Moved this function from being a static function in the cpp file
to being a static function in the JSArray class. This move allows the JIT to call it to
see what size it should allocate.

In the Carbon event model, mouse event coordinates are flipped relative to the first screen,
whereas the coordinates we get from the WebMouseEvent are flipped relative to the screen where
the containing WKView is on.

Instead of passing the global coordinates to NPP_HandleEvent, convert them to the flipped screen coordinate
system that the plug-in expects.

There's no reason to disallow the matched style property cache for elements
that return something from additionalAttributeStyle(). The only requirement
for a property set to be cached is that it either doesn't mutate OR that it
invalidates the document's CSSStyleSelector when doing so.

This allows some more match caching for table-related elements, though we
are still held back by explicitly 'inherited' properties in html.css.

Moved LowLevelInterpreter.asm to LowLevelInterpreter32_64.asm. Gave offlineasm
the ability to include files, and correctly track dependencies: it restricts
the include mechanism to using the same directory as the source file, and uses
the SHA1 hash of all .asm files in that directory as an input hash.

llint/LLIntOfflineAsmConfig.h:

llint/LowLevelInterpreter.asm:

llint/LowLevelInterpreter32_64.asm: Added.

This is just the entire contents of what was previously LowLevelInterpreter.asm

Wrote the simplest possible implementation of activations. Big speed-up on
code that uses activations, no speed-up on major benchmarks (SunSpider, V8,
Kraken) because they do not appear to have sufficient coverage over code
that uses activations.

Out-of-line name() and value(), and move the logic from parseAttribute()
into them instead. This makes the class a bit simpler and shrinks it by
two AtomicStrings. Also reduced isURLAttribute() to a two-liner.

This converts WebViewImpl from depending on CCLayerTreeHost to WebLayerTreeView in order to provide better
isolation and allow for future refactorings. The changes to WebViewImpl are mostly mechanical. The
WebLayerTreeView and WebLayerTreeViewClient interfaces have both grown and changed slightly:

Setup path for WebLayerTreeView changed to expose an initialize() function instead of a create() factory

function. The new model is that a WebLayerTreeView when constructed is in a null state. Calling initialize()
attempts to re-initialize the WLTV, which can either fail or succeed. All other functions must be called on a
successfully initialized view.

WebLayerTreeView expanded to include functionality that CCLayerTreeHost exposes but WebLayerTreeView did not.

Some of this is only valid for the single thread case and will be removed when we invert the scheduling control
logic, these bits are commented.

(WebCore::RenderFlexibleBox::layoutFlexItems): Move the flipping of RTL+column positions to its own method.
This might be a tiny bit slower, but it's clearer since it's not related to alignment.
(WebCore::RenderFlexibleBox::layoutAndPlaceChildren): Move the logical height calculation out of the loop. We only need the final height.
(WebCore::RenderFlexibleBox::alignChildren):
(WebCore::RenderFlexibleBox::flipForRightToLeftColumn):

Change TextTrackCue.alignment to .align, TextTrackCue.linePosition and .textPosition to .line
and .position, and TextTrackCue.direction to .vertical. Change direction values "horizontal"
to "","vertical" to "rl", and "vertical-lr" to "lr".

If a JPEG has no JFIF marker, the Adode Marker must be used to determine the image
color space for decoding via that markers transform value. Transform 0 images with
3 color components (RGB) fail to decode with libjpeg-turbo when a swizzle decoding
is active. Detect this case and decode using JCS_RGB output color space instead.

Split the fuzzy matching into separate functions so that they
can be sharded and run in parallel.

Also, fix a bug in the svn_blame_regexp that was causing us
to require ChangeLog lines to have at least one space after the
author, making the code require trailing whitespace in the
changelog in some places (this was making my life harder because
I have my text editor set to strip trailing whitespace in python
files, and that was causing test_parse_log_entries_from_changelog() to fail
when the whitespace on line 275 was removed).

Break the fuzzy matching tests into individual routines for
each contributor so that the intent is a little clearer, so
that it's easier to test individual names (and identify
duplicate tests), and so that we can eventually run
them in parallel.

Also, mark most of them as 'integration' tests so that they
can be skipped if we want to go fast (we leave a few as
regular tests for functional coverage).

Unfortunately, there isn't a testing frame work for
RuntimeEnabledFeatures. The main difficulty is that these static bools
need to be set when WebKit is initialized and can't be changed (which
is why they're not part of WebCore::Settings). To test them properly,
we'd need a testing framework that booted up WebKit for each test.

We could test this particular change (which doesn't need the bool to be
constant through the runtime of WebKit), but that would create a
sandtrap for future patches who might thing that this testing framework
can really be used to test RuntimeEnabledFeatures.

The net result is that Chromium is going to end up living with the
non-default codepath for these settings being untested, which will lead
to regressions like this one. If we ened up with a bunch of these
regressions, we'll likely end up with a testing framework similar to
Chromium's browsers_tests, which create a fresh subprocess for each
test.

(WebCore::valueForGridPosition): Check that we have the right translated grammar
(this function will be more useful once we implement more of the grammar).
(WebCore::CSSComputedStyleDeclaration::getPropertyCSSValue):

css/CSSStyleSelector.cpp:

(WebCore::CSSStyleSelector::applyProperty):
Added handling for the new properties.

css/CSSParser.cpp:

(WebCore::CSSParser::parseValue):
Allow only 'auto' or <integer>.

css/CSSProperty.cpp:

(WebCore::CSSProperty::isInheritedProperty):
grid-colum and grid-row are not inherited.

Some versions of Safari contain call sites to two functions in WebKit2
that were removed in r108730. Restore these two functions so that these
versions of Safari can be used with WebKit nightly builds.

Made captured variables work by placing a Flush on the SetLocal and
forcing the emission of the GetLocal even if copy propagation tells us
who has the value.

Changed the CFA and various prediction codes to understand that we can't
really prove anything about captured variables. Well, we could in the
future by just looking at what side effects are happening, but in this
first cut we just assume that we can't reason about captured variables.

Also added a mode where the DFG pretends that all variables and arguments
got captured. Used this mode to harden the code.

This is performance neutral. Capturing all variables is a slow down, but
not too big of one. This seems to predict that when we add activation
support, the amount of speed benefit we'll get from increased coverage
will far outweigh the pessimism that we'll have to endure for captured
variables.

It appears to be a race condition (on Chromium at least) between when
script executes and the style sheet resource response occurs. This
prevents some of the text to be output if the response occurs before
the call to set the flag to dump responses. Since the tests themselves
already test the results of loading stylesheets properly, this extra
text is superfluous and can be removed.

This change modifies all tests using link-load-utilities.js to dump
stylesheet resource responses. Other tests are using
dumpResponseResponseMIMEType, but for things other than stylesheets.

If another test runs prior to config_unittest and pokes the
cached configuration, the first test in config_unittest might
fail; the tearDown() will then allow subsequent tests to pass.
Clearing the configuration prior to each test makes things
slightly slower but safer.

The old way to initialize a WebGraphicsContext3D from inside WebKit was to call initialize() on it with a
WebView*. The new way to do this is via the WebViewClient interface. This deletes the old, unused path.

In moving pieces of DOMWindow.idl into separate files, we mistakenly
changed some of the license blocks. All these files should have a
license block that matches the file that originally contained the code.

Adds forwarding headers for Web*Layer* APIs and their dependencies. The forwarding headers for the Web*Layer*
APIs are temporary since Web*Layer* is not exposed in the client interface. The other headers (such as
WebColor) are exposed in both the client and platform APIs, so the forwarding headers are permanent, although we
might move them back down to public/ at some point.

This function is currently used to build markup in order to
print the selection, and will also be used to build markup for
the clipboard. Without this change, the markup will refer to
(for example) nonexistent CSS classes and invalid relative
paths and therefore will not be interpreted correctly.

Remove the canReload signal, instead assume that calling reload in those cases
won't have any effect.

Replace loadStarted, loadSucceeded and loadFailed by a single signal: loadingChanged.
The signal carries an argument with a status and error codes giving the intended context.

Use loadingChanged as the notification signal for the property "loading" instead of
navigationStateChanged.

Also update all API tests to use the new loading signals and add some utility functions
to track the loading since the new API aims to be more adapted to declarative logic
and the auto tests are using an imperative logic.

(WebCore::Document::implicitClose): Call HTML{LinkElement, StyleElement}::dispatchPendingLoadEvents() to
ensure that all pending Load events for link and style elements are dispatched before we fire the Load
event for the window.

dom/Node.h:

(WebCore::Node::notifyLoadedSheetAndAllCriticalSubresources): Added; as stated in its name, this method is
called once a style sheet and all its critical subresources (@imports) have loaded.

html/HTMLLinkElement.cpp:

(WebCore::loadEventSender):
(WebCore):
(WebCore::HTMLLinkElement::HTMLLinkElement):
(WebCore::HTMLLinkElement::~HTMLLinkElement): Modified to cancel all pending Load events on destruction.
(WebCore::HTMLLinkElement::parseAttribute): Register event listeners for Load and Error events regardless of whether we
built with link prefetch support.
(WebCore::HTMLLinkElement::setCSSStyleSheet):
(WebCore::HTMLLinkElement::dispatchPendingLoadEvents): Added; called from Document::implicitClose() to
ensure that all pending Load events for link elements have been dispatched before we fire the Load event
for the window.
(WebCore::HTMLLinkElement::dispatchPendingEvent): Added; called by EventSender.
(WebCore::HTMLLinkElement::notifyLoadedSheetAndAllCriticalSubresources): Added.

html/HTMLLinkElement.h:

(WebCore):
(HTMLLinkElement):

html/HTMLStyleElement.cpp:

(WebCore::loadEventSender):
(WebCore):
(WebCore::HTMLStyleElement::HTMLStyleElement):
(WebCore::HTMLStyleElement::~HTMLStyleElement): Modified to cancel all pending Load events on destruction.
(WebCore::HTMLStyleElement::parseAttribute): Register event listeners for Load and Error events.
(WebCore::HTMLStyleElement::dispatchPendingLoadEvents): Added; called from Document::implicitClose() to
ensure that all pending Load events for link elements have been dispatched before we fire the Load event
for the window.
(WebCore::HTMLStyleElement::dispatchPendingEvent): Added; called by EventSender.
(WebCore::HTMLStyleElement::notifyLoadedSheetAndAllCriticalSubresources): Added.

Adds missing implementation setValueForUser and setAutofilled to EFL's LayoutTestController.
Those implementations are related with input fields and allow to pass following tests:
fast/forms/onchange-setvalueforuser.html
fast/forms/input-autofilled.html
fast/forms/reset-autofilled.html

Adds missing implementation setValueForUser and setAutofilled to EFL's LayoutTestController.
Those implementations are related with input fields and allow to pass following tests:
fast/forms/onchange-setvalueforuser.html
fast/forms/input-autofilled.html
fast/forms/reset-autofilled.html

Support external references on <use> by introducing CachedSVGDocument.
CachedSVGDocument is a CachedResource specialized for SVGDocuments.
This CachedSVGDocument will be stored for every use element with external reference.
This first patch only contains the new classes to test whether it works on every platform.
So they aren't used anywhere and just a follow-up patch will bind them into the caching system.

Remove one loop by initializing array values at declaration time.
Also early return when the number of properties parsed are equals
with longhands count of the shorthand. It happens to be very often
the case (e.g. border). Instruments shows an improvement from 19ms
to 17ms on the time spent in this function for the css-parser-yui
benchmark.

The original change already included the code, but it led to some
problems, so it was reverted in ​http://trac.webkit.org/changeset/63845.
However, not removing the items leaks a considerable amount of memory,
so I'm adding the code back. The bug that led to the revert was that
the accessor was removed unconditionally. I'm now only removing it,
when the last item with that name is removed.

Addresses performance issues with draw culling by avoiding the work
of mapRect and other function calls when the quad has no opaque area.
And adds a TRACE_EVENT to watch the time spent in draw culling.

The crash happened because NodeRenderingContext tried to append a
child to a renderer regardless one isn't capable of holding any
children if it appears in the shadow attaching phase. RenderImage
is one of such renderer classes which aren't capable.

NodeRenderingContext decide whether the contextual node as a child
can create its renderer based on RenderObject::canHaveChildren()
and Node::childShouldCreateRenderer(). But the responsibility
between these two methods are getting confused. which results this
unfortuante crash path.

This change re-aligns the responsibility:

Now canHaveChildren() purely declares the ability of the
renderer. If the renderer is capable of having children, it
return true regardless of HTML semantics.

On the other hand, childShouldCreateRenderer() cares about the
semantics. If the element doesn't allow children to be rendered,
this returns false.

Note that these decision on elements are contextual. Each element
needs to know which role it is playing in the tree composition
algorithm of Shadow DOM. That's why the method parameter is changed
from Node* to NodeRenderingContext.

Fixed updateFirstLetter() which relied on this confused assumption.
This change introduces RenderDeprecatedFlexibleBox::buttonText()
to refine the relying assumption.

With this change, some decision points are moved from a renderer to an
element. Following renderers no longer stop reject having children:

Jump instruction is inserted to make short circuit,
however it does nothing but moving to the next instruction.
Therefore useless jump instructions are removed,
and jump list is moved into the case not for a short circuit,
so that only necessary instructions are added to JIT code
unless it has a 16 bit pattern character and an 8 bit string.

This patch adds performance micro-benchmarks for DOM attribute
getters and setters. We selected DOM attributes from HTMLElement,
Element and Node which will most impact on the DOM performance
in the real Web and which have different call-paths from another
DOM attribute.

Previously, we applied the patch using both apply-patch and
check-style. This patch introduces a check-style-local to mirror the
apply-watchlist-local, which operates on the current working diff.

This patch also cleans up some other bugs I found by running the queue
locally for a while. The queue still prints out a slightly
less-than-ideal message on the bugs when it find an error, but it's ok
for now. We'll need to iterate a bit.

We used to use this function to check whether the tree is red. Now, we
don't use external measures of whether to proceed with work items.
Instead, we analyze them with the idea in mind that the tree might be
red.

Add WebSocketDeflateFramer class which handles deflate-frame extension.
This class encapsulates WebSocketDeflater and WebSocketInflater classes,
which depend on zlib, so that WebSocketChannel is not necessary to aware
zlib dependency.

This is the second patch to land. The previous patch broke Chromium Win
release build. r108600 should fix the build failure. I also added
zlib entry to |export_dependent_settings| of |webcore_prerequisites|
target.

Manual test to see in milliseconds how quickly 100 writes followed by 100 reads take.
This test is ran twice and the average read and write for each of the 2 runs is shown.

ManualTests/cookieSpeedTest.html: Added.

Source/WebCore:

Added ManualTests/cookieSpeedTest.html as well as tested functionality
on the BlackBerry port with ​http://testsuites.opera.com/cookies/
Passes all non Cookie 2 tests since Cookie 2 is not implemented/supported at this time.
Error handling and extended tests do not all pass and will be updated with future bugs/patches.

drawLineForBoxSide handles painting lines for boxes which must be done on pixel boundaries.
Its interface doesn't make it possible to pixel snap properly within the function itself --
it draws one side of the box at a time, and the logical right and bottom lines can only be
properly determined using the logical top and left positions -- so it needs to be treated
like a graphics context function, whereby the caller handles the proper pixel snapping before
passing the values in.

No new tests. No change in behavior.

rendering/LayoutTypes.h:

(WebCore::pixelSnappedIntRectFromEdges): convenience function for returning a pixel snapped
int rect from four LayoutUnits that are its edges (as opposed to position and size).

(WebCore::RenderBoxModelObject::paintOneBorderSide): Side rects are now IntRects by the time
they get to paintOneBorderSide.
(WebCore::calculateSideRect): Properly use RoundedRect as IntRects instead of LayoutRects.
(WebCore::RenderBoxModelObject::paintBorderSides): Ditto.
(WebCore::RenderBoxModelObject::paintBorder): Ditto.
(WebCore::calculateSideRectIncludingInner): Ditto.

rendering/RenderBoxModelObject.h:

(RenderBoxModelObject):

rendering/RenderInline.cpp:

(WebCore::RenderInline::paintOutlineForLine): Outline widths are related to borders and stored
as ints. Removing an unnecessary conversion to LayoutUnits. Pixel snapping the edges of the box.

rendering/RenderObject.cpp:

(WebCore::RenderObject::drawLineForBoxSide): Moving back to integers and removing an
unnecessary pixelSnappedIntRect call.
(WebCore::RenderObject::paintOutline): Pixel snapping the column rule rect and using an integer
for outlineOffset.

Made CopyBlocks zero their payloads during construction. This allows
JSArray to avoid having to manually clear its backing store upon allocation
and also alleviates any future pain with regard to the garbage collector trying
to mark what it thinks are values in what is actually uninitialized memory.

(WebCore::Canvas2DLayerChromium::paintContentsIfDirty):
Profiling trace for the entire method, as well as for
calls to canvas flush and context flush, both of which may
cause deferred operation to be executed.

platform/graphics/skia/PlatformContextSkia.cpp:

(WebCore::PlatformContextSkia::bitmap):
Inserting a profiling trace in this method because it may cause
deferred draw commands to be executed.

When light children or shadow children are changed, we currently re-construct a shadow subtree.
However, when supporting multiple shadow subtrees, all shadow subtrees should be re-constructed.
So ShadowRootList should have re-construction flag instead of ShadowRoot.

Also, re-construction methods in ShadowRoot should be moved to ShadowRootList.

This simplifies the GraphicsContext3D initialization paths down to two simple codepaths, one for offscreen
contexts initialized from WebCore and one for onscreen (compositor) contexts initialized by WebViewImpl or
WebLayerTreeViewImpl.

Onscreen initialization path:
1) WebViewImpl or WebLayerTreeViewImpl request an onscreen WebGraphicsContext3D from either their WebViewClient
or WebLayerTreeViewClient, respectively
2) GraphicsContext3DPrivate::createGraphicsContextFromWebContext() wraps the WebGraphicsContext3D in a
GraphicsContext3D's m_private pointer.

There are no other initialization paths. Specifically, we do not support instantiating onscreen contexts from
within WebCore.

These two tests were in a set of tests that needed to be rebaselined
after a jpeg decoder change. However, there was also a text change
during this period that caused debug vs. release differences for text
spans in the SVG output. Filing a real bug so this can get looked at.

This change introduces FrameTree::scopedChild() and
FrameTree::scopedChild(), which can be used for scope-aware
frame lookup. Using these, the named accessor and the indexed
acceccor on Document, and Window.length are now TreeScope
aware. They don't count iframes in Shadow DOM.

This change also removes FrameTree::m_childCount since
Frame::childCount() is no longer in the hot
path. m_scopedChildCount is added instead.

SVG text metrics depend on the transform from renderer to the svg root
which requires that we propagate transform changes down to text.
This change adds a boolean for tracking transform changes to
SVGViewportContainers and SVGTransformableContainers, and updates
RenderSVGText::layout() to recalculate text metrics if the transform
of an ancestor has changed.

This notifies the chromium compositor of changes to the number of wheel event handlers via ScrollingCoordinator
instead of through ChromeClient/WebViewImpl. This is the path we'll use for other properties in the future and
is more extensible for handling things other than the root layer.

Property behavior is covered by new unit tests in LayerChromiumTests and CCLayerTreeHostImplTest.

page/scrolling/ScrollingCoordinator.cpp:

page/scrolling/ScrollingCoordinator.h:

(WebCore):
(ScrollingCoordinator):

Add a ScrollingCoordinatorPrivate so implementations can tack on additional data without having to #ifdef up
ScrollingCoordinator.h/cpp

page/scrolling/ScrollingCoordinatorNone.cpp:

(WebCore):
(WebCore::ScrollingCoordinator::~ScrollingCoordinator):

page/scrolling/chromium/ScrollingCoordinatorChromium.cpp:

(ScrollingCoordinatorPrivate):

ScrollingCoordinatorPrivate in the chromium implementation keeps a reference to the scroll layer.

Rework the clipping stack in TextureMapperGL.
Instead of saving a stack of IntRect scissor clips, we save every clipping change in the
stack, and reapply it when we end the clip. Popping the stack is almost free, since we
don't reapply the stencil but simply change the stencil test index.

In addition, we don't use a special shader for clipping, and we don't apply clipping for
masked children, since they're already clipped because they're rendered into an intermediate
buffer.

This fixes exiting tests in LayoutTests/compositing/overflow.
It also fixes asserts in the leaves demo, as well as asserts in nytimes.com and other sites.

Outside of exception handling, we don't know what our source line number is. This
change allows us to pass -1 is as the initial line number, and get the correct line
number in the resultant stack trace. We can't completely elide the initial line
number (yet) due to some idiosyncrasies of the exception handling machinery.

Previously, if we OSR exited because a prediction in a local was wrong, we'd
only realize what the true type of the local was if the regular value profiling
kicked in and told us. Unless the local was block-locally copy propagated, in
which case we'd know from an OSR exit profile.

This patch adds OSR exit profiling to all locals and arguments. Now, if we OSR
exit because of a mispredicted local or argument type, we'll know what the type of
the local or argument should be immediately upon exiting.

The way that local variable OSR exit profiling works is that we now have a lazily
added set of OSR-exit-only value profiles for exit sites that are BadType and that
cited a GetLocal as their value source. The value profiles are only added if the
OSR exit is taken, and are keyed by CodeBlock, bytecode index of the GetLocal, and
operand. The look-up is performed by querying the
CompressedLazyOperandValueProfileHolder in the CodeBlock, using a key that contains
the bytecode index and the operand. Because the value profiles are added at random
times, they are not sorted; instead they are just stored in an arbitrarily-ordered
SegmentedVector. Look-ups are made fast by "decompressing": the DFG::ByteCodeParser
creates a LazyOperandValueProfileParser, which turns the
CompressedLazyOperandValueProfileHolder's contents into a HashMap for the duration
of DFG parsing.

Previously, OSR exits had a pointer to the ValueProfile that had the specFailBucket
into which values observed during OSR exit would be placed. Now it uses a lazy
thunk for a ValueProfile. I call this the MethodOfGettingAValueProfile. It may
either contain a ValueProfile inside it (which works for previous uses of OSR exit
profiling) or it may just have knowledge of how to go about creating the
LazyOperandValueProfile in the case that the OSR exit is actually taken. This
ensures that we never have to create NumOperands*NumBytecodeIndices*NumCodeBlocks
value profiling buckets unless we actually did OSR exit on every single operand,
in every single instruction, in each code block (that's probably unlikely).

This appears to be neutral on the major benchmarks, but is a double-digit speed-up
on code deliberately written to have data flow that spans basic blocks and where
the code exhibits post-optimization polymorphism in a local variable.

This upstreams the abstraction used on Android for
hardware video decoding with the compositor.

Most of the interfaces are kept generic and the core
of this change is to allow texturing from an external
texture while receiving notifications (on the compositor
thread if we are running it) when there are new frames to
be displayed.

The bug was caused by ReplacementFragment::m_hasInterchangeNewlineAtEnd not reset even when
text field's beforeTextInserted event handler removed interchange new lines at the end.
Because the event handler is responsible for trimming new lines, we need to recompute the values
for m_hasInterchangeNewlineAt* after the event dispatch.

Test: editing/input/paste-text-ending-with-interchange-newline.html

editing/ReplaceSelectionCommand.cpp:

(WebCore::ReplacementFragment::ReplacementFragment):

LayoutTests:

Add a regression test. Also make Markup.dump() dump the shadow DOM of the specififed node.

This simplifies the GraphicsContext3D initialization paths down to two simple codepaths, one for offscreen
contexts initialized from WebCore and one for onscreen (compositor) contexts initialized by WebViewImpl or
WebLayerTreeViewImpl.

Onscreen initialization path:
1) WebViewImpl or WebLayerTreeViewImpl request an onscreen WebGraphicsContext3D from either their WebViewClient
or WebLayerTreeViewClient, respectively
2) GraphicsContext3DPrivate::createGraphicsContextFromWebContext() wraps the WebGraphicsContext3D in a
GraphicsContext3D's m_private pointer.

There are no other initialization paths. Specifically, we do not support instantiating onscreen contexts from
within WebCore.

The assertion is caused with the following callstack:
WebCore::RenderLayer::convertToLayerCoords
WebCore::RenderLayerCompositor::layerWillBeRemoved
WebCore::RenderLayer::removeChild
WebCore::RenderLayer::removeOnlyThisLayer

WebCore::RenderLayer::removeOnlyThisLayer removes itself from the parent
before moving its children to its parent. When WebCore::RenderLayer::convertToLayerCoords
is called for one of the children, it tries to walk to root only to stop at the immediate
parent which was disconnected from the tree in WebCore::RenderLayer::removeOnlyThisLayer.
If removal of layer is delayed until the children has been moved, the ASSERT is avoided.

Add a new macro to handle the inclusion of the platform specific *.cmake files.
In the future this macro should get expanded to also handle feature specifc
files, like the UseJSC.cmake in WebCore we already have.

(WebCore::RenderBlock::moveChildrenTo):
Removed inline check that was redundant, switched to |while| to a |for|
to show what's going on more closely and adds a call to moveChildTo to
share more code between the 2 functions.

Moved touch cancel event layout tests from general skip list to the
Qt 4 specific one. The Qt 5 version we depend on has QEvent::TouchCancel, which
is all we need in order to implement touch cancellation in DRT/WTR.

In the upcoming Qt 5 builds the convenient setInputMethodHints method on QQuickItem
will be removed. There's no need for us to use it, we can implement passing the hints
to the input method right away in our re-implementation of inputMethodQuery, which works
with old and newer Qt 5 builds.

Revert the workaround introduced in r107868 and reintroduce
the qml binding so we can test the code path that we are more
interested in. The reason that it did not work before is that
we don't have an active platform window which we now workaround
by propagating the resize through QWindowSystemInterface.

The tiling code needed the current visibleContentsRect in order to be
able to create tiles, so we now make sure it gets it. We also needed
to make sure to set the trajectory vector while panning and while the
flicking engine was animating kinetic scrolling.

Added entering-fullscreen and leaving-fullscreen signals, meant to
be used by the user agent to be notified when an element requests
full screen display and when the full screen display is to be
disabled.